Wednesday, June 04, 2008

Here below follows a brief report from EDRI on ENISA's call for legislation addressing social networking sites. I've checked my mail, and ENISA, funnily enough, has not yet announced the below proposal to registrants. Let it be said that ENISA has thus far concerned itself with online _security_, not to be confused with online _safety_. As such, their discourse to date has tended to focus on and at the level of the hardware or code, i.e. systems, rather than direct people-safety.

But considering social networking, isn't it that you are only as vulnerable as the weakest link in your friendship chain? If you don't "friend" just anyone, and cordon off your profile to a limited set, you might smugly sit back and think that you're safe from your details being snatched. But what if one or a couple of your friends are, let's call them "digitally promiscuous" -- they friend anyone and everyone -- where does that leave the user intent on being more prudent in their social networking habits? Just a thought. Nothing original about it.

I have yet to read the ENISA report btw.

-----

EDRI-gram - Number 6.11, 4 June 2008

Social networking sites might be regulated in EU

On 27 May 2008, the European Network and Information Security Agency (ENISA) called for new legislation that would regulate social networking sites. ENISA, which was created in 2004 to oversee online security measures in the 27 EU countries, issued a preliminary report of its General Report in which it pointed out that social networking sites such as Facebook and MySpace need more regulation to protect their users against security risks. "Social networking sites are very useful social tools but we must make recommendations for how to better protect people from the risks these sites create," said Andreas Pirotti, executive director of ENISA and author of the report. He suggested the EU legislation should be expanded in order to "cover the taking of photos of people and posting them on the internet".

In Pirotti's opinion, network security is under a permanent threat from spammers or criminals. "Internet security is extremely important, considering how much business takes place online now. We don't want infrastructures to be disrupted, we don't want a digital 9/11 to happen," he said. He also considers it crucial to "raise awareness about how social networking sites work. Few people realize that they can be offered up as friends to people they don't know. Also, many people don't realize that it's almost impossible to erase material once it has appeared on the internet".

Some of the threats related to social networking identified by ENISA are related to face recognition, digital dossiers, reputation damage, social engineering attacks on enterprises, phishing attacks, ID theft and others. The report of the organisation includes 19 recommendations to social networks on ways to improve their security practices.

Among other things, ENISA calls for a regulatory review of social networking frameworks, an increased transparency of data handling practices, more education for users on security, and the discouragement or even banning of social networking in schools.

A study conducted by enterprise IT management company CA and the National Cyber Security Alliance in 2006 found out that the majority of users of social networking sites were not very aware of the security issues involved. 83 percent of them admitted having downloaded unknown files from unknown users and 74 percent said that they were easily providing personal data online. Also, a Symantec report issued in 2007 showed that social networking sites offer easy pickings for phishers. The security practices of the respective sites make it easier to invade and to spread attacks to more people.